File CVE-2025-48060-1.patch of Package jq.40020
From dc849e9bb74a7a164a3ea52f661cc712b1ffbd43 Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Tue, 4 Mar 2025 22:13:55 +0900
Subject: [PATCH] Improve performance of repeating strings (#3272)
This commit improves the performance of repeating strings, by copying
the result string instead of the string being repeated. Also it adds
an error message when the result string is too long.
---
src/builtin.c
src/jv.c
src/jv.h
tests/jq.test
4 files changed
Upstream patch backported to jq-1.6 by Nathan Cutler <ncutler@suse.com>
Index: jq-1.6/src/builtin.c
===================================================================
--- jq-1.6.orig/src/builtin.c
+++ jq-1.6/src/builtin.c
@@ -308,19 +308,10 @@ static jv f_multiply(jq_state *jq, jv in
str = b;
num = a;
}
- int n;
- size_t alen = jv_string_length_bytes(jv_copy(str));
- jv res = str;
-
- for (n = jv_number_value(num) - 1; n > 0; n--)
- res = jv_string_append_buf(res, jv_string_value(str), alen);
-
+ double d = jv_number_value(num);
jv_free(num);
- if (n < 0) {
- jv_free(str);
- return jv_null();
- }
- return res;
+ return jv_string_repeat(str,
+ d < 0 || isnan(d) ? -1 : d > INT_MAX ? INT_MAX : (int)d);
} else if (ak == JV_KIND_OBJECT && bk == JV_KIND_OBJECT) {
return jv_object_merge_recursive(a, b);
} else {
Index: jq-1.6/src/jv.c
===================================================================
--- jq-1.6.orig/src/jv.c
+++ jq-1.6/src/jv.c
@@ -675,6 +675,32 @@ jv jv_string_indexes(jv j, jv k) {
return a;
}
+jv jv_string_repeat(jv j, int n) {
+ assert(jv_get_kind(j) == JV_KIND_STRING);
+ if (n < 0) {
+ jv_free(j);
+ return jv_null();
+ }
+ int len = jv_string_length_bytes(jv_copy(j));
+ int64_t res_len = (int64_t)len * n;
+ if (res_len >= INT_MAX) {
+ jv_free(j);
+ return jv_invalid_with_msg(jv_string("Repeat string result too long"));
+ }
+ if (res_len == 0) {
+ jv_free(j);
+ return jv_string("");
+ }
+ jv res = jv_string_empty(res_len);
+ res = jvp_string_append(res, jv_string_value(j), len);
+ for (int curr = len, grow; curr < res_len; curr += grow) {
+ grow = MIN(res_len - curr, curr);
+ res = jvp_string_append(res, jv_string_value(res), grow);
+ }
+ jv_free(j);
+ return res;
+}
+
jv jv_string_split(jv j, jv sep) {
assert(jv_get_kind(j) == JV_KIND_STRING);
assert(jv_get_kind(sep) == JV_KIND_STRING);
Index: jq-1.6/src/jv.h
===================================================================
--- jq-1.6.orig/src/jv.h
+++ jq-1.6/src/jv.h
@@ -117,6 +117,7 @@ jv jv_string_fmt(const char*, ...) JV_PR
jv jv_string_append_codepoint(jv a, uint32_t c);
jv jv_string_append_buf(jv a, const char* buf, int len);
jv jv_string_append_str(jv a, const char* str);
+jv jv_string_repeat(jv j, int n);
jv jv_string_split(jv j, jv sep);
jv jv_string_explode(jv j);
jv jv_string_implode(jv j);
Index: jq-1.6/tests/jq.test
===================================================================
--- jq-1.6.orig/tests/jq.test
+++ jq-1.6/tests/jq.test
@@ -1169,6 +1169,18 @@ indices(", ")
["a", "ab", "abc"]
["aaa", "ababab", "abcabcabc"]
+. * 100000 | [.[:10],.[-10:]]
+"abc"
+["abcabcabca","cabcabcabc"]
+
+. * 1000000000
+""
+""
+
+try (. * 1000000000) catch .
+"abc"
+"Repeat string result too long"
+
[.[] / ","]
["a, bc, def, ghij, jklmn, a,b, c,d, e,f", "a,b,c,d, e,f,g,h"]
[["a"," bc"," def"," ghij"," jklmn"," a","b"," c","d"," e","f"],["a","b","c","d"," e","f","g","h"]]
